Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Fiqri_kurniawan
Participant
Jump to solution

Internal Certificate User VPN CAPI Automatically Renewal

Dear All,

May we always be given health.

I use the Internal certificate in VPN Client Environment. For the default expired user certificate is 2 years. For now, we want to know, if the user certificate has been expired, it will be automatically renewal?

Because, I see the SK in the configuration tab in : https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuid...

Please go to the "To configure automatic certificate renewal"

Or maybe some of you all have experienced that the user certificate will expired, does it automatically renew or do you have to generate a new key?

 

Thanks and Regads,

Fiqriardhi Kurniawan

0 Kudos
1 Solution

Accepted Solutions
Tobias_Moritz
Advisor

If you enable automatic renewal the way the guide you linked to shows, it will work.

I saw it working in multiple environments.

However, there is one caveat:

The renewal is only done when the client is connecting to VPN.

Assuming you have configured renewal 60 days before expiry:

Scenario 1:

Cert will expire in 90 days. Client connects. Cert is not renewed.

Client does not use VPN for the next 60 days.

Now cert will expire in 30 days. Clients connects. Cert is renewed during this process.

Client does not use VPN for the next 40 days.

Old cert was expired 10 days ago, but new cert is available on the client. Client connects using the new cert automatically.

 

Scenario 2:

You have configured renewal 60 days before expiry.

Cert will expire in 90 days. Client connects. Cert is not renewed.

Client does not use VPN for the next 100 days.

Now cert was expired 10 days ago. Client tries to connect and fails because cert is not valid anymore. No renewal possible anymore.

 

Conclusion: Tune the "renewal in xx days before expiry" option according to your needs.

View solution in original post

7 Replies
Tobias_Moritz
Advisor

If you enable automatic renewal the way the guide you linked to shows, it will work.

I saw it working in multiple environments.

However, there is one caveat:

The renewal is only done when the client is connecting to VPN.

Assuming you have configured renewal 60 days before expiry:

Scenario 1:

Cert will expire in 90 days. Client connects. Cert is not renewed.

Client does not use VPN for the next 60 days.

Now cert will expire in 30 days. Clients connects. Cert is renewed during this process.

Client does not use VPN for the next 40 days.

Old cert was expired 10 days ago, but new cert is available on the client. Client connects using the new cert automatically.

 

Scenario 2:

You have configured renewal 60 days before expiry.

Cert will expire in 90 days. Client connects. Cert is not renewed.

Client does not use VPN for the next 100 days.

Now cert was expired 10 days ago. Client tries to connect and fails because cert is not valid anymore. No renewal possible anymore.

 

Conclusion: Tune the "renewal in xx days before expiry" option according to your needs.

Fiqri_kurniawan
Participant

Hello Tobias_Moritz,

Thank you for giving a good response.Okay, I have started to understand your parable.
Most of my customers always connect every day. So maybe I can focus on Scenario 1.

But there is one thing I want to make sure. The question is, if the user expires in the next 90 days, and the automatic renewal time is set at 60 days, when there are only 5 days left from the expiration time they try to connect, of which 5 days are still included in the 60 days automatic renewal part. That means automatic renewal is still possible, right?

Or the user must really try connect D-60 before the certificate expires?

 

Thanks

0 Kudos
Fiqri_kurniawan
Participant

In my understanding, the D-60 user doesn't necessarily have to connect for automatic renewal. As long as it is still in the pre-expiry stage, it will continue to automatic renewal.

0 Kudos
Tobias_Moritz
Advisor

When a user is connecting with a cert which expiration date is within the renewal period, it is renewed. No matter how many days left, as soon its in the period.

Also please make sure not to mix up user expiration with certificate expiration. An expired user account cannot connect to VPN even if cert is not expired and the other way around.

Cert is renewed automatically. User expiration date has to modified manually.

One additional note for users who connect their VPN over restricted hotspots (hotel, airport, ...):

While for the VPN functionality of Endpoint Security VPN tcp/443 is enough (and having udp/4500 available makes it better), for automatic cert renewal to work you also need tcp/18264.

On Check Point gateway side, an implied rule makes sure this is working. However when your users are on restricted hotspots where this port is blocked, cert renewal will not work for them. Same goes for initial cert rollout with enrollment key.

0 Kudos
Fiqri_kurniawan
Participant

Hallo Tobias,

Thank you for your explanation. Your explanation convinced me that the configuration will work as it should.

Yes, I agree with you about the difference between an expired user object and an expired user certificate.

Thank you. Hope this will help others.

 

Regards,

Fiqriardhi Kurniawan

0 Kudos
Thomas_Eichelbu
Advisor
Advisor

Hello,

i found something interessting related to this topic!

A customer is authenticating Client VPN with certificates, they get enrolled by the internal CA of the SMS.
all superfine.

since a couple of days, the users gets a NEW certificate everytime they connect to the GW.
The list of revoked certificates on the ICA tool is tremendous ...
funny thing, they ALL end on the same day!

the same day the internal IPSec certificate ends, yes of course! 🙂

but clicking the renew button in the GW properties did not help, the start date was renewed, but the end date was still the same ..
so the IPSec certificate will expire in 47 days it says ...
in the global properties, the renewel time was 60 days, default settings.
thats precise the time when the costumer said the issue started. 13 days ago!


thinking, thinkin, look at that:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

an advisory was sent some time ago that the ICA certificate has to be renewed manually with a script ...

and also consider this:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
to extend new VPN certificates if required to a longer period then default.

 

so this helps here!


0 Kudos
Fiqri_kurniawan
Participant

Hello Tobias,

Welcome back.

For now, when I used R81.20 in management, the option of certificate is gone from global properties. Do you know about this certificate user CAPI will keep automatically renewal?

Thanks

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events